Cyber Incident Victim: Hon Hai Precision Industry Co., Ltd.
Date: Nov 2020
Location: Mexico
Summary
A major electronics manufacturer suffered a ransomware attack targeting its North American operations at a Mexican facility during the Thanksgiving weekend, with the DoppelPaymer group encrypting servers, exfiltrating unencrypted data, and destroying backups. The attackers demanded approximately $34 million in Bitcoin, claiming to have compromised over a thousand servers and deleted significant backup volumes. The company confirmed the incident, stating affected systems were undergoing inspection and phased restoration while collaborating with cybersecurity experts and law enforcement to investigate the breach.
Description
On November 29, 2020, Foxconn Precision Industry Co., Ltd. suffered a ransomware attack targeting its Foxconn CTBG MX facility in Ciudad Juárez, Mexico. The DoppelPaymer ransomware gang executed the attack over the Thanksgiving weekend, compromising systems at this critical North American operational hub responsible for electronics assembly and continental distribution. Attackers exfiltrated approximately 100 GB of unencrypted business documents before encrypting devices across the facility's network. They subsequently destroyed an estimated 20-30 TB of backup data from a total of 75 TB available, significantly impairing recovery options. The threat actors encrypted 1,200-1,400 servers but avoided targeting individual workstations. Following the encryption, DoppelPaymer published samples of stolen generic business documents on their data leak site, though no financial records or employee personal information appeared in the leak. The facility's website became inaccessible after the attack, displaying persistent errors to visitors.

Foxconn confirmed the cybersecurity incident on December 7, 2020, acknowledging the compromise of an information system supporting Americas operations. The company initiated a phased restoration of affected systems while collaborating with cybersecurity experts and law enforcement agencies to investigate the breach's full scope. DoppelPaymer demanded a ransom of 1,804.0955 Bitcoin ($34,686,000) through a dedicated Tor payment portal, threatening to release additional stolen data. Foxconn's public statement emphasized ongoing efforts to restore services and identify the perpetrators for legal action. The attack exclusively impacted North American infrastructure rather than global operations, with the Mexican facility's operations disrupted during the incident response period. DoppelPaymer had previously targeted major entities including Compal, PEMEX, and municipal governments, consistent with its pattern of ransomware operations against high-value targets.
